PaulDotCom mailing list archives
Re: Disabling Acrobat JavaScript
From: "Dahl, Kevin" <Kevin.Dahl () ARS USDA GOV>
Date: Wed, 16 Jun 2010 09:34:19 -0600
No problem.... I also found some inconsistencies between Acrobat v8 and Reader v9 (Didn't have Acrobat v9 to test on at the time) when viewing the PDF in the browser...... Things worked nicely in Reader v9 in terms of allowing the JS to run....when you clicked "allow for the this document only"....the yellow bar turned purple and all was well In Acrobat v8.... When you clicked allow.... It would open the PDF document in a new tab and the yellow bar still appeared at the top teeling you JS was disabled..... Didn't have any other sites to test with at the time, so I'm not sure if this problem was specific to that particular site..... K-Dee --------------------------------------------------- Kevin Dahl -- IT Specialist USDA / ARS / NPARL, Sidney, MT --------------------------------------------------- -----Original Message----- From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Bugbear Sent: Tuesday, June 15, 2010 1:44 PM To: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript that is very good news indeed, thanks for the info On Tue, Jun 15, 2010 at 12:15 PM, Dahl, Kevin <Kevin.Dahl () ars usda gov> wrote:
Glad it was of some help. One caveat (and its a big one), if the pdfhas js init it will prompt the user to enable when opened. This will turn theoption back on. (Based my testing back in january) That horrible "feature" no longer exists in v9.3.2 and v8.2.2 (possibly 9.3.1/8.2.1) There is now a trust model and you can trust specific docs and/or specific sites..... And the JS will only be allowed to run in those docs/sites..... If you have javascript disabled, you get a yellow bar across the top of the document telling you the document has JS in it.....and then you have the option of turning on JS for that PDF or for that whole site..... K-Dee -----Original Message----- From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Bugbear Sent: Tuesday, June 15, 2010 6:05 AM To: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript Glad it was of some help. One caveat (and its a big one), if the pdf has js in it it will prompt the user to enable when opened. This will turn the option back on. (Based my testing back in january) This one reason I also use the blacklisting option as well (see vrt lin earlier) In addition to gpo's, if you have a patch mgmt system that supports autofix on a set interval, you could certainly script it This would be very useful in situations where computers do not get logged off or rebooted for long periods of time Combined with no admin rights, av, ips, email filtering I rarely see exploitation Would love to see a way to perm disable however. @bradarkin on twitter has very responsive to my suggestions regarding advisories, etc... Would likw to see more people make suggestions like this (apply some pressure if you will) Tim @bug_bear On 6/11/10, Craig Freyman <craigfreyman () gmail com> wrote:I ended up using BugBear's suggestion. It's working great. On Thu, Jun 10, 2010 at 6:09 PM, Jody & Jennifer McCluggage < j2mccluggage () adelphia net> wrote:Have you tried using Group Policy Preferences? I have had better luck managing registry settings using them. They were first includedwith Windows 2008 and are included in 7 but can be downloaded and installed on XP and Vista too. Jody -----Original Message----- From: pauldotcom-bounces () mail pauldotcom com [mailto:pauldotcom-bounces () mail pauldotcom com] On Behalf Of Gibson, Samuel Sent: Thursday, June 10, 2010 8:43 AM To: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript I have had mixed luck with the ADM template. If the user manually enables javascript it seems to stay enabled. I ended up using the instructions found here: http://www.grouppolicy.biz/2010/01/how-to-make-adobe-reader-more-sec u re-usin g-group-policy/ along with the registry values contained in the ADM template below tocreate a GPO. In testing it seems to be working quite well. It alsodisables javascript each time the employee logs in. ________________________________________ From: pauldotcom-bounces () mail pauldotcom com [pauldotcom-bounces () mail pauldotcom com] on behalf of Bugbear [gbugbear () gmail com] Sent: Tuesday, June 08, 2010 9:04 PM To: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Disabling Acrobat JavaScript I use custom GPO or mgmt system that can edit HKCU a logon script for the user is another option Also check out the blacklist framework post my ranting I have compiled some info here (hey it was the holidays and I was annoyed) http://securitybraindump.blogspot.com/2009/12/adobes-0-face.html and also VRT has done some good research here http://vrt-sourcefire.blogspot.com/2010/01/acrobat-javascript-blackl i st-fram ework.html here's an ADM template for GPO, hope this helps CLASS USER CATEGORY "Adobe Acrobat/Reader 7.x - 9.x" POLICY "JavaScript Reader 9.x" KEYNAME "Software\Adobe\Acrobat Reader\9.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 9.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY POLICY "JavaScript Acrobat 9.x" KEYNAME "Software\Adobe\Adobe Acrobat\9.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat 9.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY POLICY "JavaScript Reader 8.x" KEYNAME "Software\Adobe\Acrobat Reader\8.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 8.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY POLICY "JavaScript Acrobat 8.x" KEYNAME "Software\Adobe\Adobe Acrobat\8.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat 8.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY POLICY "JavaScript Reader 7.x" KEYNAME "Software\Adobe\Acrobat Reader\7.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat Reader 7.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY POLICY "JavaScript Acrobat 7.x" KEYNAME "Software\Adobe\Adobe Acrobat\7.0\JSPrefs" EXPLAIN "Enable or Disable JavaScript in Acrobat 7.x" VALUENAME "bEnableJS" VALUEON NUMERIC 1 VALUEOFF NUMERIC 0 END POLICY END CATEGORY On Tue, Jun 8, 2010 at 6:09 PM, Craig Freyman <craigfreyman () gmail com> wrote:What have some of you done to disable JavaScript in Acrobat Standard/Pro as well as Acrobat Reader from a corporateperspective?I am referring to installations that are already in place. CustomGPO?I've found a few articles describing the registry setting: [HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs] "bEnableJS"=dword:00000000 This will work for XP clients but this key isn't in this place on my Windows 7 box. It is under HKEY_Users\(MY SID)\Software\Adobe....... If this is the case, if I'll have to write a script that grabs the user's SID before running the registry file on login. Any other options people have used? _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com-- Sent from my mobile device _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Disabling Acrobat JavaScript, (continued)
- Disabling Acrobat JavaScript Craig Freyman (Jun 08)
- Disabling Acrobat JavaScript Gibson, Samuel (Jun 10)
- Disabling Acrobat JavaScript Jody & Jennifer McCluggage (Jun 10)
- Disabling Acrobat JavaScript Craig Freyman (Jun 11)
- Disabling Acrobat JavaScript Bugbear (Jun 15)
- Disabling Acrobat JavaScript Dahl, Kevin (Jun 15)
- Disabling Acrobat JavaScript Bugbear (Jun 15)
- Disabling Acrobat JavaScript Jody & Jennifer McCluggage (Jun 15)
- Re: Disabling Acrobat JavaScript Bugbear (Jun 16)
- Re: Disabling Acrobat JavaScript Dahl, Kevin (Jun 16)
- Re: Disabling Acrobat JavaScript Dahl, Kevin (Jun 16)